
OpenClaw Browser Upload Allows Attackers to Read Local Files

CVE-2026-26329 GHSA-cv7m-c9jx-vg7q
Summary

A security issue in OpenClaw allows attackers who are already authenticated to access and read files on the server by uploading malicious file paths. This could compromise sensitive data. To fix this issue, update OpenClaw to version 2026.2.14 or later.

What to do
  • Update steipete openclaw to version 2026.2.14.
Affected software
| Vendor   | Product  | Affected versions | Fix available |
| -------- | -------- | ----------------- | ------------- |
| steipete | openclaw | <= 2026.2.14      | 2026.2.14     |
| openclaw | openclaw | <= 2026.2.14      | –             |
Original title
OpenClaw has a path traversal in browser upload that allows local file read
Original description
## Summary

Authenticated attackers can read arbitrary files from the Gateway host by supplying absolute paths or path traversal sequences to the browser tool's `upload` action. The server passed these paths to Playwright's `setInputFiles()` APIs without restricting them to a safe root.

Severity remains **High** due to the impact (arbitrary local file read on the Gateway host), even though exploitation requires authenticated access.

## Exploitability / Preconditions

This is not a "drive-by" issue.

An attacker must:

- Reach the Gateway HTTP surface (or otherwise invoke the same browser control hook endpoints).
- Present valid Gateway auth (bearer token / password), as required by the Gateway configuration.
  - In common default setups, the Gateway binds to loopback and the onboarding wizard generates a gateway token even for loopback.
- Have the `browser` tool permitted by tool policy for the target session/context (and have browser support enabled).

If an operator exposes the Gateway beyond loopback (LAN/tailnet/custom bind, reverse proxy, tunnels, etc.), the impact increases accordingly.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Vulnerable: `< 2026.2.14` (includes latest published `2026.2.13`)
- Patched: `>= 2026.2.14` (planned next release)

## Details

**Entry points**:

- `POST /tools/invoke` with `{"tool":"browser","action":"upload",...}`
- `POST /hooks/file-chooser` (browser control hook)

When the upload paths are not validated, Playwright reads the referenced files from the local filesystem and attaches them to a page-level `<input type="file">`. Contents can then be exfiltrated by page JavaScript (e.g. via `FileReader`) or via agent/browser snapshots.

Impact: arbitrary local file read on the Gateway host (confidentiality impact).

## Fix

Upload paths are now confined to OpenClaw's temp uploads root (`DEFAULT_UPLOAD_DIR`) and traversal/escape paths are rejected.
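As an added illustration of the confinement the fix describes (example code written for this page, not the project's own code and not the fix commit referenced below), the following TypeScript resolves each requested upload path against an uploads root and rejects traversal or escape before anything reaches `setInputFiles()`. The root value, function names and error class are assumptions.

```typescript
import * as path from "node:path";

// Placeholder for the advisory's DEFAULT_UPLOAD_DIR (assumed value, not the project's).
export const UPLOAD_ROOT = "/tmp/openclaw/uploads";

export class UploadPathError extends Error { name = "UploadPathError"; }

// Hypothetical containment check modelled on the advisory's fix: each path the
// browser `upload` action receives is resolved against the uploads root and
// rejected if it contains a traversal segment or lands outside that root.
// Only the returned absolute paths may be handed to Playwright's setInputFiles().
export function confineUploadPaths(requested: string[], root: string = UPLOAD_ROOT): string[] {
  const rootAbs = path.resolve(root);
  return requested.map((p) => {
    if (p.length === 0 || p.includes("\0")) {
      throw new UploadPathError(`invalid upload path: ${JSON.stringify(p)}`);
    }
    // Reject any ".." segment outright, even one that would stay inside the root.
    if (p.split(/[\\/]+/).includes("..")) {
      throw new UploadPathError(`traversal sequence in upload path: ${p}`);
    }
    // An absolute argument replaces rootAbs in path.resolve(), so "/etc/passwd"
    // resolves to itself and is then caught by the containment test below.
    const candidate = path.resolve(rootAbs, p);
    // path.relative() begins with ".." (or is absolute, across Windows drives)
    // exactly when candidate is not under rootAbs. Testing segments instead of a
    // string prefix keeps ".../uploads-evil/x" from passing as a child of ".../uploads".
    const rel = path.relative(rootAbs, candidate);
    if (rel === "" || rel === ".." || rel.startsWith(`..${path.sep}`) || path.isAbsolute(rel)) {
      throw new UploadPathError(`upload path escapes uploads root: ${p}`);
    }
    // This check is lexical: a symlink inside the root can still point outside it,
    // so a real handler should also fs.realpath() root and candidate before use.
    return candidate;
  });
}

// Convenience predicate for policy checks and tests.
export function isAllowedUploadPath(p: string, root: string = UPLOAD_ROOT): boolean {
  try {
    confineUploadPaths([p], root);
    return true;
  } catch (e) {
    if (e instanceof Error && e.name === "UploadPathError") return false;
    throw e;
  }
}
```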

This fix was implemented internally; the reporter provided a clear reproduction and impact analysis.

Fix commit(s):

- 3aa94afcfd12104c683c9cad81faf434d0dadf87

Thanks @p80n-sec for reporting.
NVD CVSS 3.1: 6.5
NVD CVSS 4.0: 7.1
Vulnerability type
CWE-22 Path Traversal
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026